Early this month, the NAIC Cybersecurity (EX) Task Force released a preliminary working and discussion draft of an Insurance Data Security Model Law. While praise worthy in its effort to provide uniformity for data security and breach notification requirements among the states, at least with respect to the insurance industry, the draft clearly needs further development, input and revision, or it may do more harm than good. About a dozen trade associations signed on to a letter providing high level comments to point out a variety of conceptual problems with the preliminary draft, including the fact that the draft would authorize regulations that could vary from state to state, thereby undermining uniformity, and would create a private right of action. Additional critical observations include a statutory five calendar day requirement to provide notice of a data breach to the commissioner (which would mean the commissioner of each jurisdiction), and the ability for each commissioner to review and comment on the draft data breach notification, and to prescribe the appropriate level of consumer protection required and the period of time for which the protection will be provided.
We will continue to follow data security developments from the NAIC. A meeting of the NAIC Cybersecurity (EX) Task Force is scheduled for April 4.